U.S. Department of the Interior
Office of Inspector General

AUDIT REPORT

GENERAL CONTROL ENVIRONMENT OF THE FEDERAL FINANCIAL SYSTEM AT THE RESTON GENERAL PURPOSE COMPUTER CENTER, U.S. GEOLOGICAL SURVEY

REPORT NO. 97-I-98
OCTOBER 1996

United States Department of the Interior
OFFICE OF INSPECTOR GENERAL
Washington, D.C. 20240

MEMORANDUM

TO:

FROM:

SUBJECT SUMMARY: Final Audit Report for Your Information - "General Control Environment of the Federal Financial System at the Reston General Purpose Computer Center, U.S. Geological Survey" (No. 97-I-98)

Attached for your information is a copy of the subject final audit report. This report presents a summary of the draft audit report "Stronger Controls Needed Over The Data Processing Environment At The U.S. Geological Survey, Reston General Purpose Computer Center," issued by the Office of Inspector General, U.S. House of Representatives, on September 3, 1996. We were informed by the House's Office of Inspector General that the information presented in this draft report is the same information that will be presented in their final audit report. The objective of the audit was to evaluate the effectiveness of the general control environment surrounding the Federal Financial System and the processing of financial data for the House.

The House Office of Inspector General's audit report identified 42 weaknesses and made 70 recommendations for corrective actions to the U.S. Geological Survey and one recommendation for corrective action to both the Geological Survey and the House's Chief Administrative Officer. The report identified weaknesses in data center management and operations; mainframe computer system physical and logical security; telecommunications security; protection of the local area network from unauthorized access and use; and contingency planning, including backup procedures for preventing data loss and for the recovery of data in case of a disaster.

The Geological Survey and House management worked collaboratively with our office, the House's Office of Inspector General, and the contracted auditing team that performed the review to resolve key issues. As a result of this collaborative effort, the Geological Survey was able to take immediate corrective actions to resolve the deficiencies that could have adversely impacted the integrity and security of the processing of the House's financial data on the Federal Financial System. The Geological Survey concurred with or proposed alternative recommendations for each of the report's recommendations. Based on the response, we considered 13 recommendations implemented and 58 recommendations resolved but not implemented.

If you have any questions concerning this matter, please contact me at (202) 208-5745 or Mr. Robert J. Williams, Acting Assistant Inspector General for Audits, at (202) 208-4252.

Attachment

H-IN-GSV-001-96

United States Department of the Interior
OFFICE OF THE INSPECTOR GENERAL
Washington, D.C. 20240

AUDIT REPORT
Memorandum

To: Assistant Secretary - Water and Science

From: Acting Assistant Inspector General for Audits

Subject: Audit Report on the General Control Environment of the Federal Financial System at the Reston General Purpose Computer Center, U.S. Geological Survey (No. 97-I-98)

INTRODUCTION

This report presents a synopsis of the draft audit report "Stronger Controls Needed Over The Data Processing Environment At The U.S. Geological Survey, Reston General Purpose Computer Center," issued by the Office of Inspector General, U.S. House of Representatives, on September 3, 1996. The audit, which was coordinated through our office, was conducted by Price Waterhouse, LLP, under contract to the House's Office of Inspector General. We are issuing this report because we are the cognizant audit agency for the U.S. Geological Survey and because we want to ensure that the recommendations contained in this report are included in our audit recommendation tracking system. The objective of the audit was to evaluate the effectiveness of the general control environment surrounding the Federal Financial System and the processing of financial data for the House.

BACKGROUND

The Washington Administrative Service Center was established in 1987, within the Geological Survey, to direct the Department of the Interior's efforts to standardize administrative systems. As part of this effort, the Geological Survey purchased the Federal Financial System from American Management Systems, Inc., in 1987. The Service Center leases computer space from the Geological Survey's General Purpose Computer Center to operate the Federal Financial System on the Computer Center's mainframe computer. The system license purchased by the Geological Survey allows it to provide services to Federal agencies outside of the Department of the Interior. As such, the Geological Survey is able to provide the Federal Financial System as an interim financial management system to the U.S. House of Representatives.

On August 3, 1995, the Committee on House Oversight, U.S. House of Representatives, passed a resolution mandating the implementation of a new financial management system for House financial operations. The resolution required that the Chief Administrative Officer, in consultation with the House's Office of Inspector General, implement the system. In September 1995, the Chief Administrative Officer entered into an agreement with the Geological Survey to provide, on an interim basis, the Geological Survey's Federal Financial System for the processing of the House's financial data. The House's Office of Inspector General determined that a review of the general control environment of the Federal Financial System was necessary to "ensure the integrity and security of the financial information to be processed on the system." As a result, a contract was awarded to Price Waterhouse, LLP, in March 1996 to perform a review of the policies and general controls of operations of the Geological Survey's Federal Financial System at the General Purpose Computer Center in Reston, Virginia.

SCOPE OF AUDIT

Direction for and oversight of the contracted audit were provided by the House's Office of Inspector General, which coordinated with our office throughout the review. The contracted audit was made in accordance with the "Government Auditing Standards," issued by the Comptroller General of the United States. Accordingly, the audit included such tests of records and other auditing procedures that were considered necessary under the circumstances. The audit was performed from March through May 1996 at the General Purpose Computer Center.

The contracted audit included a review of the integrity, confidentiality, and availability of information resources for processing the House's financial data. The evaluation focused on general controls, including the following: user authentication; prevention of unauthorized access to, modification of, and destruction of the system and its data; contingency plans in case of system destruction; and the backup and recoverability of data, systems, and telecommunications in case operations are disrupted. To perform this review, the contractor performed the following tasks:

- Documentation was obtained from and interviews were conducted with officials responsible for system operations.

- Control techniques consistent with data security standards based on current industry standards and Government guidelines were identified.

- An understanding of the computing and internal controls related to system data, including data integrity, security, and availability, was obtained.

- Key management controls and internal controls were assessed and tested.

- Third-party audit and security software tools were used to perform automated testing techniques.

In addition, computer and information systems audit guidelines were used in evaluating the effectiveness of the Computer Center's management and operations.

As part of the review, the internal controls related to the integrity, confidentiality, and availability of the mainframe computer were evaluated. The contracted audit disclosed internal control weaknesses related to the operating system, system access, security program and functions, network controls, and business continuity planning. These weaknesses are discussed in the Results of Audit section of this report. The recommendations, if implemented, should improve controls in these areas.

PRIOR AUDIT COVERAGE

The General Accounting Office had not issued any reports relating to operations of the Computer Center or its Federal Financial System. Our office, however, has issued one report during the past 5 years relating to the Geological Survey's Federal Financial System.

The September 1992 report "Implementation of the Federal Financial System, U.S. Geological Survey" (No. 92-I-1418) stated that the Federal Financial System had not been implemented effectively and did not meet the requirements contained in the Joint Financial Management Improvement Program's "Core Financial System Requirements." These conditions occurred, according to the report, because the Geological Survey did not comply with Office of Management and Budget and Departmental guidelines for establishing and maintaining an integrated financial management system. The report also identified inadequate physical security at the Reston Automated Data Processing Facility. The Geological Survey generally agreed with our 19 recommendations and initiated actions to correct the deficiencies identified.

RESULTS OF AUDIT

The House Office of Inspector General's audit report identified 42 weaknesses and made 70 recommendations for corrective actions to the Geological Survey and one recommendation for corrective action to both the Geological Survey and the House's Chief Administrative Officer. The report stated that the Geological Survey's General Purpose Computer Center had operational internal controls that were inadequate. Specifically, weaknesses existed in data center management and operations; mainframe computer system physical and logical security; telecommunications security; protection of the local area network from unauthorized access and use; and contingency planning, including backup procedures for preventing data loss and for the recovery of data in case of a disaster. The Office of Management and Budget and the National Institute of Standards and Technology have issued numerous directives, policies, and guidelines requesting that Federal agencies establish and implement computer security and controls to improve the safeguarding of sensitive information in Federal agencies' computer systems. However, the Computer Center did not fully comply with these criteria because it did not: establish certain formal data center policies, standards, and procedures; segregate duties adequately; comply with vendor guidelines for system operations; and develop a formal and comprehensive data security program. Consequently, the Computer Center was susceptible to: unauthorized system access and data modification; errors and omissions during system start-up and processing; and unauthorized facility or system access, which could lead to theft or destruction of hardware, software, and information.

The control deficiencies noted in each of the functional aspects are summarized in the following paragraphs.

Computer Center Management and Operations

The House's September 3 report identified 8 weaknesses and made 17 recommendations regarding the Computer Center's management and operations. The report stated that the Computer Center had weaknesses in its management and operations that "posed significant risks" to computer system availability, confidentiality, and reliability. These problems included the following:

- Inconsistent and inadequate security background checks and clearances for Computer Center government and contractor employees.

- Poor controls over access to key support systems, such as the Internet, DOINET, and local area networks.

- Inadequate and inconsistently used software program change control procedures.

- Inadequate problem-resolution procedures.

- Lack of control over the labeling and distribution of sensitive computer-generated printouts.

Mainframe Computer System Physical and Logical Security

The House's September 3 report identified 20 weaknesses and made 32 recommendations regarding the Computer Center's physical and logical security of its mainframe systems. The report stated that the Computer Center did not comply with vendor guidelines and generally accepted industry practices in administering and implementing operating system and access security software controls on its mainframe computer. Some of these deficiencies included:

- Improper controls over critical operating system components, such as system start-up parameters and options and the authorized program facility.

- Unrestricted access to and use of powerful system programs, such as the Customer Information Control System transaction utility programs.

- Inadequate controls over system programmer access to terminals capable of acting as the master console terminal.

- Inadequate software change control procedures over modifications made to the Customer Information Control System environment.

- Improper installation of and controls over security access control software.

- Improper controls over programmers and separated/terminated employees.

Telecommunications Security

The House's September 3 report identified one weakness and made two recommendations regarding the Computer Center's telecommunications security. The report stated that unrestricted user access through the Internet posed integrity and security risks to internal systems such as the mainframe computer and certain local area networks.

Local Area Network Protection

The House's September 3 report identified 10 weaknesses and made 17 recommendations regarding the Computer Center's local area network protection. The report stated that the Geological Survey did not provide proper controls in administering and managing its local area networks, which are connected to the mainframe computer that processes Federal Financial System data. Problems related to the local area networks included the following:

- Inconsistent management and administration practices between three local area network servers.

- Improper controls over passwords on and general access to a particular local area network.

- Inadequate controls over powerful access privileges (supervisor privileges) to the local area network.

- Lack of procedures for monitoring local area network access and usage.

- Incomplete and untested contingency, data backup, and disaster recovery plans to ensure the timely recovery and resumption of operations.

- Inadequate physical security controls to safeguard key network computer hardware.

- Inconsistent requirements for installing and using virus detection software on file servers and workstations.

Contingency Planning, Backup, and Disaster Recovery

The House's September 3 report identified three weaknesses and made three recommendations regarding the Computer Center's contingency planning, backup, and disaster recovery procedures. The report stated that the Computer Center's contingency planning, data backup, and disaster-recovery procedures for the Federal Financial System mainframe computer were inadequate and did not allow for complete business resumption.

Corrective Actions

The Geological Survey and House management worked collaboratively with our office, the House's Office of Inspector General, and the contracted auditing firm to resolve key issues. As a result of this collaborative effort, the Geological Survey was able to take immediate corrective actions to resolve the deficiencies that could have adversely impacted the integrity and security of the processing of the House's financial data on the Federal Financial System. Geological Survey management also initiated efforts to correct the other deficiencies identified, which were important to the overall integrity and security of data center operations. In its report, the House's Office of Inspector General stated that it believed that the "actions taken and the continuing commitment demonstrated" by Geological Survey management "to resolve the deficiencies identified has greatly reduced the risk" to the Computer Center's "processing environment."

U.S. Geological Survey Response and Office of Inspector General Reply

The Director, U.S. Geological Survey, responded to the House's draft report on August 20, 1996. Based on this response, we considered 13 recommendations implemented and 58 recommendations resolved but not implemented. The unimplemented recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation (see the Appendix).

The legislation, as amended, creating the Office of Inspector General requires semiannual reporting to the Congress on all audit reports issued, actions taken to implement audit recommendations, and identification of each significant recommendation on which corrective action has not been taken.

We appreciate the assistance of U.S. Geological Survey personnel in the conduct of this audit.

APPENDIX

STATUS OF AUDIT REPORT RECOMMENDATIONS (1)

Finding/Recommendation Reference: 3E, 7B, 10A, 10B, 13A, 15A, 15B, 18, 22, 23, 25, 41, and 42
Status: Implemented.
Action Required: No further action is required.

Finding/Recommendation Reference: 1A, 1B, 2, 3A, 3B, 3C, 3D, 4, 5A, 5B, 5C, 6A, 6B, 8A, 8B, 9A, 9B, 9C, 11A, 11B, 11C, 12, 13B, 14A, 14B, 14C, 16, 17, 19, 20A, 20B, 20C, 21, 24A, 24B, 26, 27, 28, 29A, 29B, 30A, 30B, 31A, 31B, 32A, 32B, 33A, 33B, 33C, 33D, 34, 35, 36A, 36B, 37, 38, 39, and 40
Status: Resolved; not implemented.
Action Required: No further response to the Department of the Interior Office of Inspector General is required. The recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation.

(1) From audit report "Stronger Controls Needed Over The Data Processing Environment At The U.S. Geological Survey, Reston General Purpose Computer Center," dated September 3, 1996.

SHOULD BE REPORTED TO THE OFFICE OF INSPECTOR GENERAL BY:

Sending written documents to, or calling:

Within the Continental United States

U.S. Department of the Interior
Office of Inspector General
1550 Wilson Boulevard
Suite 402
Arlington, Virginia 22210

Our 24-hour Telephone HOTLINE: 1-800-424-5081 or (703) 235-9399
TDD for hearing impaired: (703) 235-9403 or 1-800-354-0996

Outside the Continental United States

U.S. Department of the Interior
Office of Inspector General
Eastern Division - Investigations
1550 Wilson Boulevard
Suite 410
Arlington, Virginia 22209
(703) 235-9221

U.S. Department of the Interior
Office of Inspector General
North Pacific Region
238 Archbishop F.C. Flores Street
Suite 807, PDN Building
Agana, Guam 96910
(700) 550-7279 or COMM 9-011-671-472-7279